CSRF attack through ALB cookies because of samesite=none

0

I have a web application with tomcat, and I configured the jsessionid cookie for samesite=lax, and it prevents CSRF attacks. When I put the application behind an ALB with OIDC authenticator, I encounter the following issue:

  • ALB cookies explicitly set samesite=none.
  • The CSRF attack is a form POST submit from an external page. It sends the ALB cookies together with the request, but doesn't send my jsessionid cookie (as expected).
  • The ALB lets the request pass into my application. The application sees this is a new session with an authenticated user and treats it as a legitimate request (typically it is the first request of the user after login and redirect from the IDP). It loads the user details and then proceeds with the request. Thus, the CSRF attack succeeds.

How can I solve this? Is there a way to change the cookies in the ALB to use samesite=lax?

yoni
Asked 1 year ago, viewed 259 times
2 answers
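One way to close the gap described in the question, as an added example that is not part of the original thread or AWS's own code: a Tomcat servlet filter (Jakarta Servlet API as used by Tomcat 10+) that refuses state-changing requests arriving with only the ALB cookies, i.e. without the application's own Lax JSESSIONID session, and additionally checks fetch metadata and the Origin header. The class name, the `EXPECTED_ORIGIN` value and how the filter is registered are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the original post): blocks cross-site
// state-changing requests that reach Tomcat carrying only the ALB cookies.
public class CrossSiteWriteFilter implements Filter {
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    // Assumed public origin of the application as seen by the browser.
    private static final String EXPECTED_ORIGIN = "https://app.example.com";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (SAFE_METHODS.contains(request.getMethod()) || isSameSiteWrite(request)) {
            chain.doFilter(req, res);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "cross-site request rejected");
        }
    }

    // True only when a state-changing request can be tied to this site.
    static boolean isSameSiteWrite(HttpServletRequest request) {
        // 1. A real user's first request after the IdP redirect is a GET, which
        //    creates the JSESSIONID session. A POST with no existing application
        //    session is exactly the forged form submission from the question.
        if (request.getSession(false) == null) {
            return false;
        }
        // 2. Fetch metadata: browsers label cross-site form posts "cross-site".
        String fetchSite = request.getHeader("Sec-Fetch-Site");
        if (fetchSite != null) {
            return fetchSite.equals("same-origin") || fetchSite.equals("same-site")
                    || fetchSite.equals("none");
        }
        // 3. Fallback for browsers without fetch metadata: Origin must match.
        String origin = request.getHeader("Origin");
        return origin != null && origin.equalsIgnoreCase(EXPECTED_ORIGIN);
    }
}
```

Register the filter ahead of the application's own servlets; a synchronizer (CSRF) token, as suggested in the answers, remains a worthwhile second layer for forms.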
0

Hi Yoni, if the SameSite attribute is set to Lax, then the browser will include the cookie in requests that originate from another site but only if two conditions are met:

  • The request uses the GET method. Requests with other methods, such as POST, will not include the cookie.
  • The request resulted from a top-level navigation by the user, such as clicking a link. Other requests, such as those initiated by scripts, will not include the cookie.

Most CSRF attacks tend to happen on POST requests. So the Lax mode is only a partial defense. You should use it in conjunction with CSRF tokens. You can use Spring Security (if you are using Java and Spring) or you can use the CSRFGuard from OWASP. Please see the link below for CSRFGuard.

https://owasp.org/www-project-csrfguard/

The OpenID Connect protocol does not have any specifications for CSRF. Here are a few resources that might help you (see below), but the general pattern is to use the state parameter. Some reputed OpenID providers do provide protection but the smaller ones do not.

https://developer.amazon.com/docs/login-with-amazon/cross-site-request-forgery.html

https://technospace.medium.com/csrf-in-idp-initiated-openid-connect-7a2873420e86

https://developers.google.com/identity/openid-connect/openid-connect

AWS
Gaurav
Answered 1 year ago
  • Thank you for this finely crafted answer, but it actually adds nothing to my question in the way of a solution. I care about POST requests, not GET, and I know what OIDC is. The question is about the ALB cookies, that effectively allow a request from another site to pass through.

0

Yoni, you can utilize duration-based stickiness and give it a shot. This way your cookie (JSESSIONID) will maintain the Lax value. Please see the following resource:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html

Give it a shot.

AWS
Gaurav
Answered 1 year ago
